A global cyber-attack that affected companies around the world may have started via corrupted updates on a piece of accountancy software.

Fingers are increasingly pointing to a piece of Ukrainian tax-filing software, MEDoc, as the source of the infection, although the company denies it.

A growing number of security experts, including the British malware expert Marcus Hutchins - credited with ending the WannaCry ransomware outbreak - claim to have logs that reveal MEDoc as the source.

In email correspondence with the BBC, Mr Hutchins said: "It looks like the software's automatic update system was compromised and used to download and run malware rather than updates for the software."

It was not yet clear how it had been compromised, he added.

MEDoc has denied the claims, in a Facebook post - but in a blog post analysing how the infection had taken hold on Windows machines, Microsoft also points the finger at the accounting software: "Active infections of the ransomware initially started from the legitimate MEDoc update process," it writes.

Alan Woodward, a computer scientist from the University of Surrey, said: "The ironic thing about this situation (if it proves to be the case) is that we always advise users to keep their software up to date, ideally using automated updates. However, it assumes hackers can't take over the update process and misuse it."

Most security experts agree that the virus, thought to be a new variant of the Petya ransomware, was spread using a Windows vulnerability known as Eternal Blue, discovered by the National Security Agency and leaked online.

Mr Hypponen told the BBC that it was "completely clear" that hackers in both WannaCry and Petya outbreaks had used the NSA exploit.

The fact that it had now been leaked and was being used by criminal or political hackers was "a nightmare scenario" for the intelligence agency, he said: "It chose to use the exploit, not tell Microsoft about it and weaponise it, and now it has been leaked, made public and used in an attack," he said.

The fact that it had now been leaked and was being used by criminal or political hackers was "a nightmare scenario" for the intelligence agency, he said: "It chose to use the exploit, not tell Microsoft about it and weaponise it, and now it has been leaked, made public and used in an attack," he said.

If you haven't applied the MS17-010 patch, which has been now available for 3-months. (Especially after the giant red flag about a month ago when WannaCry first came out)... you definitely deserve to be hacked at this point.

IT Teams fail to apply patches, even after a massive cyberattack that should have warned everyone to fix MS17-010 on their systems. Then they blame other people because of their problems. Hint: the MS17-010 attack has been known for three months, and this is the SECOND time MS17-010 has been exploited in a worldwide cyberattack.

Its about fucking time for IT Teams to close the fucking barndoor. Patch your fucking systems, do your fucking job. There's no excuse at this point, especially since the WannaCry attack started in MAY.

Microsoft has had patch installations instructions here since March 13, 2017. Your system has been automatically fixed updated if you've had any of the annoying "Forced reboots" between March and Today... unless your system administrator disabled updates for some reason.

Virus writers will continue to exploit MS17-010 till the end of time. Its just like Conflicker (MS08-067). Until all computers were protected against MS08-067, Conflicker continued to spread like wildfire. And then there were Conflicker copycats who learned from MS08-067 and Conflicker, and improved upon the technique. But it doesn't matter, just fix your computer against MS17-010 and you'll never have to worry about WannaCry (1.0) or Petya (1.0) ever again.

If you read the article, multiple attack vectors were used, pointing to a state-sponsored attack. The exploit the NSA found and weaponised was only one such vector - you could have patched that and still been vulnerable - especially since the virus got in through automated patching - ie. not requiring anyone to click on a dodgy email link etc.

In fact, unless I'm reading it wrong, even machines completely up to date on Windows patches would have been hit, they just needed to be running this tax software. In essence, this is a zero-day exploit that you can't guard against unless you don't automatically apply patches...